Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt

2014-07-25 Thread Carlos Martinez-Cagnazzo
It is weird that we even need to state here that we the five RIRs are not going to break things intentionally, but, yeah, LACNIC will not break things intentionally either. Engineering for resiliency is as much a necessity as engineering for security. If the damage caused by the failures of the so

Re: [sidr] RPKI utility vs fragility

2014-07-25 Thread Terry Manderson
Hi Doug, Yes, it is true that BGPSEC only has two states (valid/not valid) and there is also a raft of hand-waving around the implementation of those states, e.g., the draft cites local policy, for whatever that is worth. Taking a step back, this might well go further than just the Valid/NotFound st

Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt

2014-07-25 Thread Tim Bruijnzeels
Hi, On Jul 25, 2014, at 9:09 AM, Byron Ellacott wrote: > Hi, > > From: Stephen Kent > Date: Thursday, 24 July 2014 5:20 pm > To: Tim Bruijnzeels > Cc: "sidr@ietf.org" > Subject: Re: [sidr] I-D Action: > draft-ietf-sidr-rpki-validation-reconsidered-00.txt > > Tim, > > I think I was not cle

Re: [sidr] comment on draft-ietf-sidr-bgpsec-protocol and draft-ietf-sidr-bgpsec-ops

2014-07-25 Thread Stephen Kent
Sandy, Speaking as regular ol' member The bgpsec-protocol draft has the following text: Next, the BGPSEC speaker verifies that the origin AS is authorized to advertise the prefix in question. To do this, consult the valid ROA data to obtain a list of AS numbers that are associated

Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt

2014-07-25 Thread Stephen Kent
Byron, Thanks for providing the details of what APNIC does. Those are precisely the sort of checks I would hope for. I agree that if APNIC had IANA as its parent, then the issue you cited would be relevant, i.e., you can't know if IANA issued a new cert that removed an INR from your cert, w

[sidr] RPKI utility vs fragility

2014-07-25 Thread Montgomery, Douglas
… To follow up on the last couple of comments of the session … the large resource bundles also contain AS numbers … while we can claim NOTFOUND might help routing robustness in RPKI malfunctions … there is no such 3rd state in path validation. The path becomes INVALID in such cases. Of course th

[sidr] Proposal to protect against the "Dutch Police Attack"

2014-07-25 Thread Sharon Goldberg
All, We (at Boston University) have a proposal that protects against the "Dutch Police Attack" where the RPKI is used for IP prefix takedowns. The proposal, which will appear at SIGCOMM next month, is in section 5 of this paper: http://www.cs.bu.edu/~goldbe/papers/sigRPKI_full.pdf This proposal

Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt

2014-07-25 Thread Byron Ellacott
Hi, From: Stephen Kent <k...@bbn.com> Date: Thursday, 24 July 2014 5:20 pm To: Tim Bruijnzeels <t...@ripe.net> Cc: "sidr@ietf.org" <sidr@ietf.org> Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-00.txt Tim, I think I was no

[sidr] Fwd: [GROW] Meeting information IETF90

2014-07-25 Thread Sandra Murphy
speaking as regular ol' member I noticed this on the GROW list. Sriram mentioned this draft on the sidr list a few weeks ago. It will be presented in GROW, which is after SIDR this morning. This work proposes adding new info to the bgpsec protocol to detect route leaks. --Sandy, speaking as